Hello,

According to Trivy, sapcc/mosquitto-exporter has some vulnerabilities in Go libraries:
| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/prometheus/client_golang | CVE-2022-21698 | HIGH | v1.11.0 | 1.11.1 | prometheus/client_golang: Denial of service using InstrumentHandlerCounter (https://avd.aquasec.com/nvd/cve-2022-21698) |
| golang.org/x/net | CVE-2021-33194 | HIGH | v0.0.0-20200625001655-4c5254603344 | 0.0.0-20210520170846-37e1c6afe023 | golang: x/net/html: infinite loop in ParseFragment (https://avd.aquasec.com/nvd/cve-2021-33194) |
| golang.org/x/net | CVE-2021-44716 | HIGH | v0.0.0-20200625001655-4c5254603344 | 0.0.0-20211209124913-491a49abca63 | golang: net/http: limit growth of header canonicalization cache (https://avd.aquasec.com/nvd/cve-2021-44716) |
| golang.org/x/net | CVE-2021-31525 | MEDIUM | v0.0.0-20200625001655-4c5254603344 | 0.0.0-20210428140749-89ef3d95e781 | golang: net/http: panic in ReadRequest and ReadResponse when reading a very large... (https://avd.aquasec.com/nvd/cve-2021-31525) |
| golang.org/x/sys | CVE-2022-29526 | MEDIUM | v0.0.0-20210603081109-ebe580a85c40 | 0.0.0-20220412211240-33da011f77ad | golang: syscall: faccessat checks wrong group (https://avd.aquasec.com/nvd/cve-2022-29526) |
Way to reproduce:

```console
$ trivy image sapcc/mosquitto-exporter
2022-07-29T12:45:33.719+0200 INFO Need to update DB
2022-07-29T12:45:33.719+0200 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-07-29T12:45:33.719+0200 INFO Downloading DB...
33.27 MiB / 33.27 MiB [------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 24.07 MiB p/s 1.6s
2022-07-29T12:45:36.525+0200 INFO Vulnerability scanning is enabled
2022-07-29T12:45:36.525+0200 INFO Secret scanning is enabled
2022-07-29T12:45:36.525+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-29T12:45:36.525+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.29.2/docs/secret/scanning/#recommendation for faster secret detection
2022-07-29T12:45:38.557+0200 INFO Number of language-specific files: 1
2022-07-29T12:45:38.557+0200 INFO Detecting gobinary vulnerabilities...
```
Trivy can be found here: https://github.com/aquasecurity/trivy

Can someone update the Go libraries?

Thanks!